Securing College Data

    Title: Security College Data
    Effective Date: September 2013
    Issuing Authority: Information Technologies
    Program Coordinator:  Director of IT and Libraries
    Last Updated: April 14, 2016

    Purpose of Statement

    This document is intended to provide a summary of the policies and procedures St. Olaf has adopted to help safeguard our digital data.

    Policy

    All employees are expected to know and adhere to the policies that safeguards digital information and data in order to comply with state and federal regulations, as well as College policies.

    Procedures

    Inventory of High Risk Data
    Offices and departments that store or process more than 100 high risk data elements, especially collections of more than 100 Social Security Numbers, should document and discuss their processes with the Information Security Officer. The Information Security Officer will deliver an annual report on high risk data to the Chair of the Information Security Council and then to Director of IT and Libraries.

    Access to Data
    Individuals wishing to access or use college data must request such access through the “data custodian” for that particular data set.  Each office, department, or division that maintains core college data (high, medium, or low risk) is responsible for assigning one or more individuals to serve as data custodians.  These data custodians are responsible for managing the use, access, archiving, and sharing of the data to ensure that it is properly handled within their office area and by those that are granted access to the data.

    Individuals who are given rights to access or use college data are responsible for maintaining the privacy of protected and confidential data and must agree to abide by any college policies and state or federal laws and regulations governing such data. Individuals may be required to take training on FERPA, HIPPA, GLBA, etc. prior to getting access to those data elements.

    In order to maintain the security of the college’s data and information the college retains the authority to:

    1. restrict or revoke any user’s privileges,
    2. inspect, copy, remove, or otherwise alter any data, program, or other system resource that may undermine these objectives, and
    3. take any other steps deemed necessary to manage and protect its information systems and the data and information held within those systems.

    This authority may be exercised with or without notice to the involved users.  St. Olaf College disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.  More information on data and responsibilities can be found in the Data Classification Policy statement found at:  https://wp.stolaf.edu/it/data-classification/

    File and Information Privacy
    All information on St. Olaf servers, desktop computers or on computer storage media, including digital mail, is considered college property. While Information Technology (IT) makes every reasonable effort to ensure the security of digital files, employees should be aware of the following:

    Any individual using the St. Olaf College systems and networks from any computer automatically consents to the monitoring of their activities in the course of systems maintenance or security related investigations.  In addition, in order to conduct the college’s business and assure compliance with college policies and the law, the college may need to monitor or review digitally stored information.  If, in the course of such monitoring, systems personnel reveal possible evidence of criminal activity or college policy violations, systems personnel may provide the evidence of such monitoring to the College or law enforcement officials.

    Select employees of IT have access to all information stored on the St. Olaf servers. Those employees may include the custodians of the campus servers maintained by IT and/or IT student workers whose responsibilities are associated with the servers. Such access is necessary in order for IT employees to perform their duties, and is normally exercised upon the request of the account owner, in cases of systems security and performance problems, upon presentation of warrants, subpoenas, or court orders, or upon the request of an individual’s supervisor or Vice President. Supervisors requesting access to an employee’s computer files must first consult with a Vice President and must present a valid work-related issue or need or convincing evidence of probable cause related to a violation of federal or state regulations or college policies before IT staff will access files.

    Every digital file and email message stored on the St. Olaf servers are backed up and, therefore, are reproducible and may be subpoenaed in the event of a court case. Users should be aware of this when creating files and email messages intended for individuals both on and off campus.

    Email correspondence should not be considered private. The individual to whom one sends an email message may allow another person to access the mail message or may forward it to others. In addition, while St. Olaf makes every effort to ensure the security of email messages routed on the College network, email messages sent via the Internet are not guaranteed that same level of security and privacy.

    Personal files and email stored by employees on their college-provided desktop computer or on the St. Olaf servers should not be considered private. In the course of routine maintenance, upon the request of the immediate supervisor, or upon the presentation of warrants, subpoenas, and court orders personal files may be accessed by IT staff.

    Information posted to the Internet is not private and, in most cases, is readable by other individuals around the world.  While it is possible to restrict direct access to on-campus users only, this does not preclude wider distribution of materials.  Users should consider carefully the content and nature of materials shared in light of these realities.

    The full policy on privacy of files can be found at:  https://wp.stolaf.edu/it/privacy-of-electronic-files/

    Entering computer accounts or reading digital files without proper authorization is considered misuse of computers. Individuals suspected of accessing others’ files without permission will be referred to the appropriate office for action. Here is the College’s policy statement on the Use of Campus Technologies: https://wp.stolaf.edu/it/appropriate-use-of-campus-technologies/

    • Who has access to our campus computing systems and networks?
    • When do access rights cease? What if someone is terminated?
    • How do we control digital access to systems and networks?
    • What constitutes misuse?
    • What about personal use of computers and the campus network?

    Off-campus use of data and information
    There are occasions when employees will access high or medium risk data off-campus. The employee must get permission from his or her supervisor prior to accessing the data and information. The employee must present a valid work reason for accessing this data and is responsible for abiding by campus policies.